
What is the Mozilla Firefox policy concerning SHA-1 Client authentication certificates?


vazm...@gmail.com

Apr 27, 2016, 12:27:52 PM
to mozilla-dev-s...@lists.mozilla.org
Hi! I read the "https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/" article, but my question is: what about client authentication certificates that are issued using SHA-1, like Qualified Certificates issued to clients in order to make client-authenticated SSL connections and sign/encrypt/decrypt documents? Are they going to be valid, and until when?

Richard Barnes

Apr 27, 2016, 1:54:56 PM
to vazm...@gmail.com, mozilla-dev-s...@lists.mozilla.org
For client certificates, it doesn't really matter what Mozilla thinks -- it
matters what the website thinks when you present the client cert.

Peter Bowen

Apr 27, 2016, 2:25:55 PM
to Richard Barnes, mozilla-dev-s...@lists.mozilla.org, vazm...@gmail.com
It does to a certain extent. If I have a certificate that uses a
512-bit RSA key and is signed using RSAwithMD2, will Mozilla even
attempt to use that certificate for client authentication?

Richard Barnes

Apr 27, 2016, 2:44:27 PM
to Peter Bowen, mozilla-dev-s...@lists.mozilla.org, vazm...@gmail.com
Well, now you've made me go and try it. I couldn't get OpenSSL to use
RSAwithMD2, but it works fine with MD5:

openssl req -x509 -out client-cert.pem -new -newkey rsa:512 -md5 -nodes -keyout client-priv.pem
openssl pkcs12 -export -in client-cert.pem -inkey client-priv.pem -out client.p12

# Preferences > Advanced > Certificates > View Certificates > Your Certificates
# Import the p12
# Configure /etc/hosts to point example.com to 127.0.0.1

openssl req -x509 -out server-cert.pem -new -newkey rsa:2048 -sha256 -nodes -keyout server-priv.pem
openssl s_server -cert server-cert.pem -key server-priv.pem -accept 8080 -www -Verify 0

# Navigate to https://example.com:8080/
# Add an exception for the server cert
# Note that the client cert you just imported is offered in the prompt
# Select the client cert you just imported
# Note that the server accepts the client cert
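
Since the thread concludes that acceptance is the server's decision, here is a server-side policy check for a presented client certificate. It is an added example, not code from the thread or from Mozilla. The 2048-bit minimum, the function names and the constructed sample certificates are assumptions.

```python
# Added example: policy check on a client certificate presented to a TLS server.
RSA = bytes.fromhex("2a864886f70d0101")   # DER bytes of OID arc 1.2.840.113549.1.1
WEAK_SIGS = {RSA + b"\x02": "md2WithRSAEncryption",
             RSA + b"\x04": "md5WithRSAEncryption",
             RSA + b"\x05": "sha1WithRSAEncryption"}
MIN_RSA_BITS = 2048   # assumed site policy, not a value from the thread

def tlv(tag, body):
    """DER-encode one element; used only to build the constructed sample."""
    n = len(body)
    k = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + body

def children(data):
    """Split DER content bytes into (tag, value) pairs."""
    out, i = [], 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:                       # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        out.append((tag, data[i:i + n]))
        i += n
    return out

def check_client_cert(der):
    """Return the policy violations found in one DER-encoded certificate."""
    tbs, sig_alg, _ = children(children(der)[0][1])
    alg = children(sig_alg[1])[0][1]                  # signatureAlgorithm OID
    problems = ["weak signature: " + WEAK_SIGS[alg]] if alg in WEAK_SIGS else []
    fields = [f for f in children(tbs[1]) if f[0] != 0xA0]   # drop [0] version
    key_alg, key_bits = children(fields[5][1])               # subjectPublicKeyInfo
    if children(key_alg[1])[0][1] == RSA + b"\x01":           # rsaEncryption
        modulus = children(children(key_bits[1][1:])[0][1])[0][1]
        bits = int.from_bytes(modulus, "big").bit_length()
        if bits < MIN_RSA_BITS:
            problems.append("RSA key too small: %d bits" % bits)
    return problems

def sample_cert(sig_last, bits):
    """Constructed, unsigned certificate skeleton (not a real certificate)."""
    alg = lambda last: tlv(0x30, tlv(0x06, RSA + bytes([last])) + tlv(0x05, b""))
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    spki = tlv(0x30, alg(1) + tlv(0x03, b"\x00" + tlv(0x30, tlv(0x02, n) + tlv(0x02, b"\x01\x00\x01"))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg(sig_last)
              + tlv(0x30, b"") * 3 + spki)
    return tlv(0x30, tbs + alg(sig_last) + tlv(0x03, b"\x00" * 65))
```

In a Python TLS server, the DER bytes to check can be obtained from `ssl.SSLSocket.getpeercert(binary_form=True)` after the handshake.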